Re: Security release procedures
Julian Foad wrote on Wed, 28 Aug 2019 11:41 +00:00:
> * Drop the CVE? (steps 8, 15, 16)
> For cases that are not looking like a very high severity, we could
> omit the CVE process and much of the formal description associated with
> it. CVEs are a Good Thing, but they do require extra effort and we don't
> have to do that for every vulnerability.
> Instead, on a case by case basis, we could choose to omit the CVE
> (even drop it after initially requesting one) and summarize the issue at
> a lesser level of detail.
I don't follow. There is a distinction between "the issue has a CVE name",
"the issue has an advisory", and "the issue's fixed is developed on private@
[using either the security-by-obscurity process or the confidential process]".
Which of these three do you propose to do away with?
Received on 2019-08-29 02:36:36 CEST
This is an archived mail posted to the Subversion Dev